471 lines
11 KiB
Django/Jinja
471 lines
11 KiB
Django/Jinja
## General WAN Rules
|
|
config rule
|
|
option name 'Allow-DHCP-Renew'
|
|
option src 'wan'
|
|
option proto 'udp'
|
|
option dest_port '68'
|
|
option target 'ACCEPT'
|
|
option family 'ipv4'
|
|
|
|
config rule
|
|
option name 'Allow-Ping'
|
|
option src 'wan'
|
|
option proto 'icmp'
|
|
option icmp_type 'echo-request'
|
|
option target 'ACCEPT'
|
|
option family 'ipv4'
|
|
|
|
config rule
|
|
option name 'Allow-DHCPv6'
|
|
option src 'wan'
|
|
option src_ip 'fe80::/10'
|
|
option src_port '547'
|
|
option proto 'udp'
|
|
option dest_ip 'fe80::/10'
|
|
option dest_port '546'
|
|
option target 'ACCEPT'
|
|
option family 'ipv6'
|
|
|
|
config rule
|
|
option name 'Allow-ICMPv6-Input'
|
|
option src 'wan'
|
|
option proto 'icmp'
|
|
list icmp_type 'echo-request'
|
|
list icmp_type 'echo-reply'
|
|
list icmp_type 'destination-unreachable'
|
|
list icmp_type 'packet-too-big'
|
|
list icmp_type 'time-exceeded'
|
|
list icmp_type 'bad-header'
|
|
list icmp_type 'unknown-header-type'
|
|
list icmp_type 'router-solicitation'
|
|
list icmp_type 'neighbour-solicitation'
|
|
list icmp_type 'router-advertisement'
|
|
list icmp_type 'neighbour-advertisement'
|
|
option target 'ACCEPT'
|
|
option family 'ipv6'
|
|
option limit '1000/sec'
|
|
|
|
config rule
|
|
option name 'Allow-ICMPv6-Forward'
|
|
option src 'wan'
|
|
option dest '*'
|
|
option proto 'icmp'
|
|
list icmp_type 'echo-request'
|
|
list icmp_type 'echo-reply'
|
|
list icmp_type 'destination-unreachable'
|
|
list icmp_type 'packet-too-big'
|
|
list icmp_type 'time-exceeded'
|
|
list icmp_type 'bad-header'
|
|
list icmp_type 'unknown-header-type'
|
|
option target 'ACCEPT'
|
|
option family 'ipv6'
|
|
option limit '1000/sec'
|
|
|
|
## SSH from VINCI rules
|
|
config rule
|
|
option name 'Allow-Input-SSH-VINCI'
|
|
option src 'wan'
|
|
option src_ip '{{ vinci_ipv6_out }}'
|
|
option proto 'tcp'
|
|
option dest_port '22'
|
|
option target 'ACCEPT'
|
|
option family 'ipv6'
|
|
|
|
config rule
|
|
option name 'Allow-SSH-VINCI'
|
|
option src 'wan'
|
|
option src_ip '{{ vinci_ipv6_out }}'
|
|
option proto 'tcp'
|
|
option dest 'lan'
|
|
option dest_port '22'
|
|
option target 'ACCEPT'
|
|
option family 'ipv6'
|
|
|
|
### DMZ Rules
|
|
## General Rules
|
|
# ICMP
|
|
config rule
|
|
option name 'Allow-ICMP'
|
|
option dest 'dmz'
|
|
option proto 'icmp'
|
|
option target 'ACCEPT'
|
|
|
|
config rule
|
|
option name 'Allow-ICMP'
|
|
option src 'dmz'
|
|
option proto 'icmp'
|
|
option target 'ACCEPT'
|
|
|
|
config rule
|
|
option name 'Allow-ICMP'
|
|
option src 'dmz'
|
|
option proto 'icmp'
|
|
option dest '*'
|
|
option target 'ACCEPT'
|
|
|
|
# DHCP rules
|
|
config rule
|
|
option name 'Allow-DMZ-DHCP'
|
|
option dest 'dmz'
|
|
option dest_port '67-68'
|
|
option proto 'tcpudp'
|
|
option target 'ACCEPT'
|
|
option family 'ipv4'
|
|
|
|
config rule
|
|
option name 'Allow-DMZ-DHCP'
|
|
option src 'dmz'
|
|
option proto 'tcpudp'
|
|
option dest_port '67-68'
|
|
option target 'ACCEPT'
|
|
option family 'ipv4'
|
|
|
|
# DNS Resolution
|
|
config rule
|
|
option name 'Allow-INPUT-DNS'
|
|
option src 'dmz'
|
|
option proto 'tcpudp'
|
|
option dest_port '53'
|
|
option target 'ACCEPT'
|
|
option family 'ipv4'
|
|
|
|
# NTP
|
|
config rule
|
|
option name 'Allow-OUTPUT-NTP'
|
|
option src 'dmz'
|
|
option proto 'udp'
|
|
option dest 'wan'
|
|
option dest_port '123'
|
|
option target 'ACCEPT'
|
|
|
|
# Web traffic OUT
|
|
config rule
|
|
option name 'Allow-OUTPUT-Web'
|
|
option src 'dmz'
|
|
option proto 'tcpudp'
|
|
option dest 'wan'
|
|
option dest_port '80 443'
|
|
option target 'ACCEPT'
|
|
|
|
# SSH traffic IN
|
|
config rule
|
|
option name 'Allow-INPUT-SSH'
|
|
option src 'wan'
|
|
option proto 'tcp'
|
|
option dest 'dmz'
|
|
option dest_port '22'
|
|
option target 'ACCEPT'
|
|
option family 'ipv6'
|
|
|
|
## Specific rules
|
|
# Allow IPv4 Web traffic IN
|
|
config redirect
|
|
option name 'Allow-INPUT-v4-HTTP'
|
|
option src 'wan'
|
|
option src_dport '80'
|
|
option proto 'tcpudp'
|
|
option dest 'dmz'
|
|
option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
|
|
option dest_port '80'
|
|
option target 'DNAT'
|
|
|
|
config redirect
|
|
option name 'Allow-INPUT-v4-HTTPS'
|
|
option src 'wan'
|
|
option src_dport '443'
|
|
option proto 'tcpudp'
|
|
option dest 'dmz'
|
|
option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
|
|
option dest_port '443'
|
|
option target 'DNAT'
|
|
|
|
# Allow Web traffic IN
|
|
{% for host in groups['webservers'] %}
|
|
config rule
|
|
option name 'Allow-INPUT-{{ host }}-Web'
|
|
option src 'wan'
|
|
option proto 'tcpudp'
|
|
option dest 'dmz'
|
|
option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
|
|
option dest_port '80 443'
|
|
option target 'ACCEPT'
|
|
option family 'ipv6'
|
|
{% endfor %}
|
|
|
|
# Allow traffic to and from bt.dmz.mateu.be
|
|
config rule
|
|
option name 'Allow-OUTPUT-BT'
|
|
option src 'dmz'
|
|
option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
|
|
option proto 'tcpudp'
|
|
option dest 'wan'
|
|
option target 'ACCEPT'
|
|
option family 'ipv4'
|
|
|
|
config rule
|
|
option name 'Allow-OUTPUT-BT'
|
|
option src 'dmz'
|
|
option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
|
|
option proto 'tcpudp'
|
|
option dest 'wan'
|
|
option target 'ACCEPT'
|
|
option family 'ipv6'
|
|
|
|
config rule
|
|
option name 'Allow-INPUT-BT'
|
|
option src 'wan'
|
|
option proto 'tcpudp'
|
|
option dest 'dmz'
|
|
option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
|
|
option dest_port '10010'
|
|
option target 'ACCEPT'
|
|
option family 'ipv6'
|
|
|
|
config redirect
|
|
option name 'Allow-INPUT-BT'
|
|
option src 'wan'
|
|
option src_dport '10010'
|
|
option proto 'tcpudp'
|
|
option dest 'dmz'
|
|
option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
|
|
option dest_port '10010'
|
|
option target 'DNAT'
|
|
|
|
# Allow traffic to Proxmox VE interface
|
|
{% for host in groups['hypervisors'] %}
|
|
config rule
|
|
option name 'Allow-INPUT-ProxmoxVE-{{ hostvars[host]['ansible_hostname'] }}'
|
|
option src 'wan'
|
|
option proto 'tcp'
|
|
option dest 'dmz'
|
|
option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
|
|
option dest_port '8006'
|
|
option target 'ACCEPT'
|
|
option family 'ipv6'
|
|
{% endfor %}
|
|
|
|
# Allow XMPP traffic
|
|
config rule
|
|
option name 'Allow-OUTPUT-XMPP-s2s'
|
|
option src 'dmz'
|
|
option src_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address']}}'
|
|
option proto 'tcpudp'
|
|
option dest 'wan'
|
|
option dest_port '5269'
|
|
option target 'ACCEPT'
|
|
option family 'ipv4'
|
|
|
|
config rule
|
|
option name 'Allow-OUTPUT-XMPP-s2s'
|
|
option src 'dmz'
|
|
option src_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
|
|
option proto 'tcpudp'
|
|
option dest 'wan'
|
|
option dest_port '5269'
|
|
option target 'ACCEPT'
|
|
option family 'ipv6'
|
|
|
|
config redirect
|
|
option name 'Allow-INPUT-XMPP-c2s'
|
|
option src 'wan'
|
|
option src_dport '5222'
|
|
option proto 'tcpudp'
|
|
option dest 'dmz'
|
|
option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
|
|
option dest_port '5222'
|
|
option target 'DNAT'
|
|
|
|
config redirect
|
|
option name 'Allow-INPUT-XMPP-s2s'
|
|
option src 'wan'
|
|
option src_dport '5269'
|
|
option proto 'tcpudp'
|
|
option dest 'dmz'
|
|
option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
|
|
option dest_port '5269'
|
|
option target 'DNAT'
|
|
|
|
config rule
|
|
option name 'Allow-INPUT-XMPP-c2s+s2s'
|
|
option src 'wan'
|
|
option proto 'tcpudp'
|
|
option dest 'dmz'
|
|
option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
|
|
option dest_port '5222 5269'
|
|
option target 'ACCEPT'
|
|
option family 'ipv6'
|
|
|
|
# Allow Mumble traffic
|
|
config rule
|
|
option name 'Allow-INPUT-mumble'
|
|
option src 'wan'
|
|
option proto 'tcpudp'
|
|
option dest 'dmz'
|
|
option dest_ip '{{ hostvars['voice1.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
|
|
option dest_port '64738'
|
|
option target 'ACCEPT'
|
|
option family 'ipv6'
|
|
|
|
config redirect
|
|
option name 'Allow-INPUT-mumble'
|
|
option src 'wan'
|
|
option src_dport '64738'
|
|
option proto 'tcpudp'
|
|
option dest 'dmz'
|
|
option dest_ip '{{ hostvars['voice1.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
|
|
option dest_port '64738'
|
|
option target 'DNAT'
|
|
|
|
# Allow mail traffic
|
|
config rule
|
|
option name 'Allow-OUTPUT-SMTP'
|
|
option src 'dmz'
|
|
option src_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
|
|
option proto 'tcp'
|
|
option dest 'wan'
|
|
option dst_port '25'
|
|
option target 'ACCEPT'
|
|
option family 'ipv4'
|
|
|
|
config rule
|
|
option name 'Allow-INPUT-SMTP+SMTPS+SUBMISSION'
|
|
option src 'wan'
|
|
option proto 'tcp'
|
|
option dest 'dmz'
|
|
option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
|
|
option dest_port '25 465 587'
|
|
option target 'ACCEPT'
|
|
option family 'ipv6'
|
|
|
|
config rule
|
|
option name 'Allow-INPUT-IMAP+IMAPS'
|
|
option src 'wan'
|
|
option proto 'tcp'
|
|
option dest 'dmz'
|
|
option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
|
|
option dest_port '143 993'
|
|
option target 'ACCEPT'
|
|
option family 'ipv6'
|
|
|
|
config redirect
|
|
option name 'Allow-INPUT-SMTP'
|
|
option src 'wan'
|
|
option src_dport '25'
|
|
option proto 'tcp'
|
|
option dest 'dmz'
|
|
option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
|
|
option dest_port '25'
|
|
option target 'DNAT'
|
|
|
|
config redirect
|
|
option name 'Allow-INPUT-SMTPS'
|
|
option src 'wan'
|
|
option src_dport '465'
|
|
option proto 'tcp'
|
|
option dest 'dmz'
|
|
option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
|
|
option dest_port '465'
|
|
option target 'DNAT'
|
|
|
|
config redirect
|
|
option name 'Allow-INPUT-SUBMISSION'
|
|
option src 'wan'
|
|
option src_dport '587'
|
|
option proto 'tcp'
|
|
option dest 'dmz'
|
|
option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
|
|
option dest_port '587'
|
|
option target 'DNAT'
|
|
|
|
config redirect
|
|
option name 'Allow-INPUT-IMAP'
|
|
option src 'wan'
|
|
option src_dport '143'
|
|
option proto 'tcp'
|
|
option dest 'dmz'
|
|
option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
|
|
option dest_port '143'
|
|
option target 'DNAT'
|
|
|
|
config redirect
|
|
option name 'Allow-INPUT-IMAPS'
|
|
option src 'wan'
|
|
option src_dport '993'
|
|
option proto 'tcp'
|
|
option dest 'lan'
|
|
option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
|
|
option dest_port '993'
|
|
option target 'DNAT'
|
|
|
|
# Allow Munin traffic
|
|
config rule
|
|
option name 'Allow-INPUT-Munin'
|
|
option src 'dmz'
|
|
option src_ip '{{ hostvars['munin.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
|
|
option proto 'tcp'
|
|
option dest_port '4949'
|
|
option target 'ACCEPT'
|
|
option family 'ipv4'
|
|
|
|
## Default configuration
|
|
config defaults
|
|
option syn_flood '1'
|
|
option input 'ACCEPT'
|
|
option output 'ACCEPT'
|
|
option forward 'REJECT'
|
|
|
|
## Zone configuration
|
|
config zone
|
|
option name 'lan'
|
|
option input 'ACCEPT'
|
|
option output 'ACCEPT'
|
|
option forward 'ACCEPT'
|
|
option network 'lan'
|
|
|
|
config zone
|
|
option name 'dmz'
|
|
option input 'REJECT'
|
|
option output 'REJECT'
|
|
option forward 'REJECT'
|
|
option network 'dmz'
|
|
|
|
config zone
|
|
option name 'wan'
|
|
option input 'REJECT'
|
|
option output 'ACCEPT'
|
|
option forward 'REJECT'
|
|
option network 'vpn'
|
|
option masq '1'
|
|
option mtu_fix '1'
|
|
|
|
config zone
|
|
option name 'orig'
|
|
option input 'REJECT'
|
|
option output 'ACCEPT'
|
|
option forward 'REJECT'
|
|
option network 'wan'
|
|
option masq '1'
|
|
option mtu_fix '1'
|
|
|
|
config forwarding
|
|
option src 'lan'
|
|
option dest 'wan'
|
|
|
|
config forwarding
|
|
option src 'lan'
|
|
option dest 'dmz'
|
|
|
|
config forwarding
|
|
option src 'lan'
|
|
option dest 'orig'
|
|
|
|
config include
|
|
option path '/etc/firewall.user'
|
|
|
|
config include 'miniupnpd'
|
|
option type 'script'
|
|
option path '/usr/share/miniupnpd/firewall.include'
|
|
option family 'any'
|
|
option reload '1'
|
|
|